The Ukraine war is fuelling and obscuring cyberattacks

Cyberattacks have largely fallen out of the headlines in the year since the war in Ukraine started, but the dangerous crossover between the two threats is increasingly apparent in the scale of disruption around the world. The former Dubai-based teacher Mark Steed found himself on the front line of these battles a little more than two years ago, and has since spoken out on the pitfalls facing an institution that finds its data locked away. At his Hong Kong international school, he decided not to devote scarce resources to paying the ransomware demands, even if that complicated the recovery operation facing his team. “The attack encrypted our local servers, preventing access to all of our admin systems that we hosted on-site, including our finance and HR records,” he wrote in last week’s Times Educational Supplement . “Given that the school was operational and there had been no data loss, we decided not to respond to the hackers’ demands that we pay them for the ability to unencrypt our files, nor did we report the incident to the police.” As cyberspace becomes more and more confrontational, it is not just headmasters at schools who are trying to work out appropriate responses. The war in Ukraine has seen a speeding up of the aggression against internet users there while also hogging the attention that might otherwise be devoted to these trends. Last week, there was a major attack on the City of London that originated in Russia. The divisions between Russia and the West are such that there is slim to no co-operation in these matters. The sanctions and other policies imposed as a result of the Ukraine conflict means there is no realistic prospect of this situation improving any time soon. Indeed, the opposition might be the case. The most recent attack took place against the vital infrastructure underpinning the City of London. Lockbit, a Russia-based hacker, targeted trading software provider Ion Group that provides what’s described as the plumbing systems that connect trading of shares, debt and derivatives. A total of 42 clients in financial markets lost data and one City insider said another escalation could take out “most of the derivatives trading” in London. The same hacking group caused major disruption with a cyberattack against Royal Mail, a British multinational postal service and courier company, last month. Local government is another target, with Hackney Council telling Wired magazine that it had not fully recovered from an October 2020 attack. In the same year, the unitary authority of Redcar and Cleveland lost £11 million ($13 million), forcing staff to revert to paper to communicate for a time. Over in the US, disruption targeting hospitals and health care has been a major issue and has been traced to the same sources. How deep the links are between these attacks and the current trends in war and diplomacy is under intense scrutiny. There is no mistaking that link in Ukraine itself, where a hacker group known as Sandworm has been directing incessant attacks. These include of variants of programmes with names such as CaddyWiper, HermeticWiper, NikoWiper and the energy sector-specific SDelete. Viktor Zhora, the deputy head of Ukraine’s cyber body, told a meeting in London last week that the cyber offensive his country faced was linked to the military action. “The quantity of the cyberattacks on Ukraine tripled last year, and their considerable share was co-ordinated with the other directions of military activities, such as missile strikes,” he said. The issues raised by the changing nature and rising volume of attacks have called into question how quickly states are evolving the doctrines of what is legitimate and legal cyber defence and offensive operations. Take the UK’s efforts to cultivate a role as an advocate for responsible state behaviour in cyberspace. Within the western alliance structures, this is crucial to the development of collaborative efforts to improve global cybersecurity. One question posed in London is if planners can develop a variation of its existing doctrines for offensive cyber operations in which it acknowledges the existence of special capabilities but does not say anything about these. One former official describes this as the Ronan Keating approach of "saying it best when saying nothing at all". UK legal officials have opened the space for this approach by drawing a line against foreign cyber operations that makes a political definition of sovereignty the determining factor. If the UK is coerced into a situation that causes it systematic problems by another state, it should have the right to act to reverse that situation. In other words, the scale and effect of a foreign cyber operation that disrupted its freedom to control vital matters, such as infrastructure, health or the economy, would all be factors in determining how the country responded. As a corollary, these factors would also act as restraint on the UK and shape international co-ordinated actions. Scaling up cyber policies is an urgent challenge. The issue is also obscured from view, just as much as the damage done by ongoing attacks is overshadowed by the war playing out in Ukraine. The dividing line between these two dangerous problems facing the world is increasingly hard to discern.